![Page 1: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/1.jpg)
Finding Needles in Haystacks
(the size of Countries)
@cloudjunky
@dsturnbull
@gakman
![Page 2: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/2.jpg)
2011
![Page 3: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/3.jpg)
We all know the story
![Page 4: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/4.jpg)
The CEO thinks the network is...
![Page 5: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/5.jpg)
![Page 6: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/6.jpg)
The Blackhats are...
![Page 7: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/7.jpg)
![Page 8: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/8.jpg)
Or is it?
![Page 9: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/9.jpg)
![Page 10: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/10.jpg)
This is you
![Page 11: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/11.jpg)
![Page 12: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/12.jpg)
Some Consultants are..
![Page 13: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/13.jpg)
![Page 14: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/14.jpg)
And guaranteed you are going to be asked to...
![Page 15: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/15.jpg)
Enhance!
![Page 16: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/16.jpg)
Why is this funny?
![Page 17: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/17.jpg)
![Page 18: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/18.jpg)
Prevention Fails.
![Page 19: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/19.jpg)
Detection is the key.
![Page 20: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/20.jpg)
NSM - “Analysis and escalation of indications and warnings to detect and respond to intrusions” - Richard Bejtlich
![Page 21: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/21.jpg)
NSM - “focused on providing an intrusion analyst with the best possible information in the shortest amount of time” - NSMWiki
![Page 22: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/22.jpg)
Network Security Monitoring
• Advocates a focus on detection, on the assumption that prevention will fail.
• Believes in inventoried and defensible networks.
• Build entropy from alert (attack) information.
• Provide analysts with accurate information and context as fast as possible.
• Products provide collection, people the analysis.
![Page 23: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/23.jpg)
Network Security Monitoring
• Examples of NSM tools
– Sguil
– Argus
– Flowgrep
– Snort
– Bro
– NetworkMiner
• Tools -> Collection, Humans -> Analysis
![Page 24: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/24.jpg)
It’s all about context.
![Page 25: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/25.jpg)
Context
• Going back to the well.
• Providing as much context as possible in relation to attacks and attackers.
• Security analysis is detective work.
• Able to ask “What if?”, branch our analysis and react to new information.
• Providing full fidelity and full context quickly.
![Page 26: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/26.jpg)
![Page 27: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/27.jpg)
That’s no moon.
• Pretty WebGL globe by Google.
• Each line represents the source IP address of an attacker.
• Height is frequency and colour is severity.
• The destination (victim) is located in Sydney, Australia.
• Approximately 420K Snort alerts in a 12 day period.
![Page 28: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/28.jpg)
Full Packet Capture
• Complete record of all network transactions.
• If the attack takes place across a network it is in the packet captures.
• Provides the highest fidelity to analysts.
• Only way to really understand subtle and targeted attacks.
• Play, pause, stop and rewind using NSM tools.
• No need to have specific logging set up.
![Page 29: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/29.jpg)
NSM + FPC = more options
![Page 30: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/30.jpg)
“The difficulty shifts from traffic collection to traffic analysis. If you can store hundreds of gigabytes of traffic per day, how do you make sense of it?” - Richard Bejtlich
![Page 31: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/31.jpg)
![Page 32: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/32.jpg)
Big Data Scale
• I want to ask a 2.5TB question
– Process 2.5TB, 8 hours, 4 compute units.
– Process 2.5TB, 4 hours, 8 compute units.
– Process 2.5TB, 2 hours, 16 compute units.
– Process 2.5TB, 1 hour, 32 compute units.
– Process 2.5TB, 30 minutes, 64 compute units.
– Process 2.5TB, 15 minutes, 128 compute units.
• Scale my compute to answer my question.
![Page 33: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/33.jpg)
Big Data Scale
![Page 34: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/34.jpg)
Distributed Processing
• Google MapReduce whitepaper (2004)
• Google File System whitepaper (2003)
• Hadoop is an Apache project for MapReduce (2007)
• Hadoop Distributed File System (HDFS) is a distributed file system for Hadoop nodes (2007)
• Pig is a data analysis language to ease the creation of MapReduce jobs that run on Hadoop clusters (2008)
![Page 35: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/35.jpg)
![Page 36: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/36.jpg)
Pig
• An acyclic data flow (analysis) language.
• Transforms data rather than querying it.
– Think key/value.
• Builds MapReduce jobs that are distributed across a Hadoop cluster.
• Write and debug on your laptop, run on the cluster.
• Relatively easy to learn and brute force.
![Page 37: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/37.jpg)
Pig
• Loaders
• Types
• UDFs: Java, scripts (Python) and binaries (p0f and Snort)
![Page 38: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/38.jpg)
Pig Latin
• The data analysis language for Pig scripts
• Group on keys and iterate values
• Iterate using FOREACH
• Filter, Distinct, Sort, Count, Avg, Sum
• Join (LEFT, OUTER)
• Piggybank community tools
• Illustrate, Explain, Dump or Store
![Page 39: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/39.jpg)
@packetpig
• Packetloop + Pig = Packetpig
• https://github.com/packetloop/packetpig
• Open source, Big Data, security analytics
• One stop shop for Network Security Monitoring of large data sets.
• Capable of integrating other NSM tools and LOGS!
• Visualisations
![Page 40: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/40.jpg)
@packetpig - Features
• Wireshark the Internet!!
• Bin Time
• Threat Analysis
• Traffic Analysis
• Conversations and Flows
• Geo-Location
• Operating System Fingerprinting
• File Dissection
![Page 41: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/41.jpg)
![Page 42: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/42.jpg)
Wireshark the Internet!
• Access to raw packet captures.
• Query, filter, group, sort, count or average anything in the IP, TCP and UDP headers.
• PacketLoader() acts as a base class for most loaders.
• Used for bandwidth, packets per second, breakdown by protocol and global queries.
• Search for strange combinations of TCP flags.
![Page 43: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/43.jpg)
Demo
![Page 44: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/44.jpg)
Binning Time
• Packetpig can process billions and billions of data points.
• Most other software can’t handle loading datasets that big.
• Bin on 5m, 30m, 1h, 4h, 8h, 12h, 24h etc.
• Convert your bin time to seconds and pass it as a parameter to Packetpig scripts.
• Anything with a timestamp can be binned.
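Added example (not code from these slides or from the Packetpig project): the “Wireshark the Internet” and “Binning Time” queries above, written in plain Python so they run stand-alone rather than as a Pig script over PacketLoader(). It parses a pcap byte stream (Ethernet/IPv4 carrying TCP or UDP), floors each timestamp to a bin given in seconds the way the slides say to pass a bin size, and answers three of the questions listed: packets and bytes per bin, a breakdown by IP protocol, and TCP packets whose flag combination no normal stack sends. The three-packet pcap is constructed inline, and the field names in the record dict are this example’s own, not PacketLoader()’s schema.

```python
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_pcap(data):
    """Yield (timestamp_seconds, record) for every IPv4 packet in a pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian pcap file")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        off += incl_len
        if rec is not None:
            yield ts_sec + ts_usec / 1e6, rec


def parse_frame(frame):
    """Decode Ethernet + IPv4 and the TCP or UDP header into a flat dict.
    Field names are this example's own, not PacketLoader()'s schema."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                   # not IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    rec = {"proto": ip[9], "len": struct.unpack_from("!H", ip, 2)[0],
           "src": ".".join(map(str, ip[12:16])),
           "dst": ".".join(map(str, ip[16:20]))}
    l4 = ip[ihl:]
    if rec["proto"] == 6 and len(l4) >= 20:           # TCP
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
        rec["flags"] = l4[13] & 0x3F                  # URG ACK PSH RST SYN FIN
    elif rec["proto"] == 17 and len(l4) >= 8:         # UDP
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
    return rec


def bin_time(ts, bin_seconds):
    """Floor a timestamp to the start of its bin; bin_seconds is the number
    the slides say to pass to a Packetpig script (300 for 5m, 3600 for 1h)."""
    return int(ts) - int(ts) % bin_seconds


def summarise(pcap_bytes, bin_seconds):
    """[packets, bytes] per time bin, and a packet count per IP protocol."""
    per_bin = defaultdict(lambda: [0, 0])
    per_proto = Counter()
    for ts, rec in parse_pcap(pcap_bytes):
        bucket = per_bin[bin_time(ts, bin_seconds)]
        bucket[0] += 1
        bucket[1] += rec["len"]
        per_proto[rec["proto"]] += 1
    return dict(per_bin), per_proto


def odd_tcp_flags(pcap_bytes):
    """TCP packets whose flags no normal stack sends together: SYN+FIN,
    no flags at all (NULL scan) or FIN+PSH+URG (XMAS scan)."""
    hits = []
    for _ts, rec in parse_pcap(pcap_bytes):
        f = rec.get("flags")
        if f is None:
            continue
        if f == 0 or (f & (SYN | FIN)) == (SYN | FIN) or (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
            hits.append((rec["src"], rec["dst"], rec["dport"], f))
    return hits


# ---- constructed sample pcap; not captured traffic -------------------------
def _ipv4_frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4       # zero MACs, EtherType IPv4

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def build_sample_pcap():
    """A normal SYN to port 80, a SYN+FIN probe to port 22, and a DNS query."""
    frames = [
        (1000, _ipv4_frame("10.0.0.5", "192.0.2.10", 6, _tcp(40000, 80, SYN))),
        (1001, _ipv4_frame("198.51.100.7", "192.0.2.10", 6, _tcp(31337, 22, SYN | FIN))),
        (1400, _ipv4_frame("10.0.0.5", "192.0.2.53", 17, _udp(5353, 53))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out
```

With a 300 second bin, `summarise(build_sample_pcap(), 300)` puts the two TCP packets in the bin starting at 900 and the DNS query in the one starting at 1200, and `odd_tcp_flags` returns only the SYN+FIN probe. In Packetpig the same work is a GROUP on the binned timestamp followed by COUNT and SUM in a FOREACH, with the flag check as a FILTER on the flag columns; the point of doing it in Pig is that the loop above runs as map tasks across every node holding a slice of the capture.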
![Page 45: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/45.jpg)
Demo
![Page 46: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/46.jpg)
Threat Analysis
• SnortLoader() is a wrapper for Snort.
• Runs Snort distributed across Hadoop nodes.
• Pass a different snort.conf at run time.
• Snort output is returned to the script.
• Loader returns the following schema:
– Timestamp, Sig ID, Priority, Message, Protocol,
– Source IP, SPort, Destination IP, DPort
![Page 47: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/47.jpg)
Geo Location
• GeoIP User Defined Function (UDF)
• Wraps the MaxMind GeoIP Java library.
• Returns
– Country
– ASNum
– Lat/Long
• Can be used in any script with any loader.
![Page 48: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/48.jpg)
Demo
![Page 49: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/49.jpg)
![Page 50: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/50.jpg)
![Page 51: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/51.jpg)
![Page 52: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/52.jpg)
Traffic Analysis
• Detecting covert and encrypted channels
• Packet size
– “Traffic Analysis of SSL Encrypted Web Browsing” - Heyning Cheng and Ron Avnur
• Packet size / inter-packet delay
– “Datamining for Hackers” - Stefan Burschka at the Chaos Communication Congress
• Packet size and n-gram analysis
– “Anomalous Payload-based Network Intrusion Detection” - Ke Wang and Salvatore J. Stolfo
![Page 53: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/53.jpg)
N-gram Analysis
• Analyse packet payloads for which byte values (0-255) are used.
• Perform unigram, bigram and trigram analysis.
• Plot the frequency of each byte value, ordered by byte value.
• Packetpig supports any number of grams (N).
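Added example, not Packetpig’s n-gram UDF: byte n-gram frequency analysis of packet payloads in plain Python, following the PAYL approach from the Wang and Stolfo paper cited above (a per-n-gram mean and standard deviation learned from normal payloads, then a simplified Mahalanobis distance for new ones). The HTTP requests used as training data and the opaque test payload are constructed here, and the alert threshold a deployment would put on the score is a tuning decision that is not shown.

```python
import math
from collections import Counter


def ngram_freqs(payload, n=1):
    """Relative frequency of every n-gram of bytes in payload. Keys are
    bytes objects, so one function serves unigrams, bigrams and trigrams."""
    total = len(payload) - n + 1
    if total <= 0:
        return {}
    counts = Counter(payload[i:i + n] for i in range(total))
    return {g: c / total for g, c in counts.items()}


def byte_histogram(payload):
    """Count per byte value 0-255 in byte order: the frequency-by-byte plot
    from the slide as a list rather than a chart."""
    hist = [0] * 256
    for b in payload:
        hist[b] += 1
    return hist


def byte_entropy(payload):
    """Shannon entropy in bits per byte: close to 8 for encrypted or
    compressed data, typically 4-5 for a plain-text protocol like HTTP."""
    return -sum(p * math.log2(p) for p in ngram_freqs(payload, 1).values())


class PayloadModel:
    """Per-n-gram mean and standard deviation learned from normal payloads,
    scored with the simplified Mahalanobis distance used by PAYL."""

    def __init__(self, n=1, smoothing=0.001):
        self.n, self.alpha = n, smoothing
        self.mean, self.std = {}, {}

    def fit(self, payloads):
        vectors = [ngram_freqs(p, self.n) for p in payloads]
        for g in set().union(*vectors):
            xs = [v.get(g, 0.0) for v in vectors]
            m = sum(xs) / len(xs)
            self.mean[g] = m
            self.std[g] = math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))
        return self

    def score(self, payload):
        """sum |x_i - mean_i| / (std_i + alpha) over the union of n-grams.
        An n-gram never seen in training contributes x_i / alpha, so a
        payload full of unexpected byte values scores high."""
        x = ngram_freqs(payload, self.n)
        return sum(abs(x.get(g, 0.0) - self.mean.get(g, 0.0))
                   / (self.std.get(g, 0.0) + self.alpha)
                   for g in set(x) | set(self.mean))


# Constructed training and test payloads (not captured traffic)
NORMAL_HTTP = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/css\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
]
NORMAL_TEST = b"GET /contact HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# Every byte value exactly once (131 is odd, so this is a permutation of
# 0..255): a stand-in for an encrypted or packed blob sent to port 80.
OPAQUE_TEST = bytes((i * 131 + 7) % 256 for i in range(256))

MODEL = PayloadModel(n=1).fit(NORMAL_HTTP)
```

`MODEL.score(NORMAL_TEST)` stays small because every byte of a new GET request has a learned mean and a narrow spread, while `MODEL.score(OPAQUE_TEST)` is dominated by the roughly 220 byte values that never appear in HTTP text, each contributing its full frequency over the smoothing term. Bigram and trigram models are the same class with `n=2` or `n=3`; the vectors get sparser, which is why PAYL and the slide both treat higher n as a refinement rather than the default.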
![Page 54: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/54.jpg)
![Page 55: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/55.jpg)
![Page 56: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/56.jpg)
![Page 57: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/57.jpg)
Deep Packet Inspection
• DNSConversationLoader()
– Access DNS queries and responses
– Timestamp, Query ID, Mode, Name, IP Address and TTL
• HTTPConversationLoader()
– Access to HTTP fields (e.g. User-Agent, Set-Cookie, ETag)
– Access to requests and responses.
![Page 58: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/58.jpg)
Demo: Basic DNS, HTTP
![Page 59: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/59.jpg)
Malware Domain Analysis
• Track increases and decreases in the number of queries per domain.
• Track the TTL for domains and see how it changes over time.
• Track the number of IPs returned for each domain and how many distinct countries those IPs reside in.
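Added example, not Packetpig code: the three per-domain measures above computed in plain Python over DNS answer records. The records follow the DNSConversationLoader() field order given two slides earlier (timestamp, query ID, mode, name, IP address, TTL), a small IP-to-country dictionary stands in for the GeoIP UDF, and every record and the thresholds in `flux_candidates` are constructed for the example rather than taken from the slides.

```python
from collections import defaultdict

# Constructed DNS records in DNSConversationLoader() field order:
# (timestamp, query id, mode, name, ip address, ttl). Not captured traffic.
ANSWERS = [
    (1000, 1, "response", "www.example.com", "192.0.2.10", 3600),
    (1300, 2, "response", "www.example.com", "192.0.2.10", 3600),
    (1900, 3, "response", "www.example.com", "192.0.2.11", 3600),
    (1000, 4, "response", "cdn.flux-test.invalid", "198.51.100.1", 60),
    (1100, 5, "response", "cdn.flux-test.invalid", "203.0.113.7", 60),
    (1200, 6, "response", "cdn.flux-test.invalid", "198.51.100.2", 30),
    (1500, 7, "response", "cdn.flux-test.invalid", "203.0.113.9", 30),
    (1600, 8, "response", "cdn.flux-test.invalid", "192.0.2.200", 30),
    (1700, 9, "response", "cdn.flux-test.invalid", "198.51.100.3", 20),
    (1750, 10, "query", "cdn.flux-test.invalid", "", 0),
]

# Stand-in for the GeoIP UDF's country lookup (constructed mapping; the real
# UDF wraps the MaxMind database).
COUNTRY = {
    "192.0.2.10": "AU", "192.0.2.11": "AU", "192.0.2.200": "ZA",
    "198.51.100.1": "CN", "198.51.100.2": "CN", "198.51.100.3": "PH",
    "203.0.113.7": "SG", "203.0.113.9": "SG",
}


def bin_time(ts, bin_seconds):
    return ts - ts % bin_seconds


def domain_stats(answers, bin_seconds, country=COUNTRY):
    """GROUP BY name, then the aggregates Pig would do with COUNT, MIN, MAX
    and DISTINCT: answers per bin, TTL range, distinct IPs and countries."""
    stats = {}
    for ts, _qid, mode, name, ip, ttl in answers:
        if mode != "response":       # queries carry no answer IP or TTL
            continue
        s = stats.setdefault(name, {"per_bin": defaultdict(int),
                                    "ttl_min": ttl, "ttl_max": ttl,
                                    "ips": set(), "countries": set()})
        s["per_bin"][bin_time(ts, bin_seconds)] += 1
        s["ttl_min"] = min(s["ttl_min"], ttl)
        s["ttl_max"] = max(s["ttl_max"], ttl)
        s["ips"].add(ip)
        s["countries"].add(country.get(ip, "??"))
    for s in stats.values():
        s["per_bin"] = dict(s["per_bin"])
    return stats


def trend(stats, name):
    """Ordered (bin_start, answer_count) pairs, so an increase or decrease
    in lookups of one domain can be read straight off the series."""
    return sorted(stats[name]["per_bin"].items())


def flux_candidates(stats, max_ttl=300, min_ips=4, min_countries=2):
    """Domains whose answers rotate quickly and spread across countries: the
    fast-flux pattern the three tracked measures are meant to surface.
    The thresholds are illustrative, not values from the slides."""
    return sorted(name for name, s in stats.items()
                  if s["ttl_max"] <= max_ttl
                  and len(s["ips"]) >= min_ips
                  and len(s["countries"]) >= min_countries)
```

On the constructed records `domain_stats(ANSWERS, 300)` gives `www.example.com` a 3600 second TTL, two IPs and one country, while `cdn.flux-test.invalid` has a TTL falling from 60 to 20, six IPs across four countries and a rising answer count per bin; only the latter comes back from `flux_candidates`. A legitimate CDN also returns many IPs with short TTLs, so in practice the country spread and the trend over days are what separate the two, which is why the slide tracks all three measures rather than TTL alone.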
![Page 60: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/60.jpg)
![Page 61: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/61.jpg)
![Page 62: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/62.jpg)
Conversations / Flows
• Track conversation establishment and termination.
• Return all packets related to a conversation.
• Return inter-packet delay.
• Return the size of packets in the conversation.
• Return the end state of the conversation.
![Page 63: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/63.jpg)
OS Fingerprinting
• FingerprintLoader() is a wrapper for @lcamtuf’s p0f
• FingerprintLoader() returns the information from p0f to the Pig script.
• Perform passive operating system detection across terabytes of data.
![Page 64: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/64.jpg)
Demo
![Page 65: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/65.jpg)
File Extraction
• Analyse every conversation on the network.
• Extraction or just output information
– Choose whether to extract files or not.
– Extract based on MIME type or file extension.
– Extract or search for particular hashes.
• Additional file information through libmagic.
• Output file name, file type, name, extension, MD5, SHA1, SHA256 hashes.
![Page 66: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/66.jpg)
Demo
![Page 67: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/67.jpg)
Is Big Data - Big Surveillance?
• Packet capture is analogous to wire tapping.
• Distributed processing of full network data starts to worry you.
• Potential for misuse, surveillance, data warehouses.
• Reputation services that sell dossiers on hashed IP addresses.
• Data mining ‘networks’ for long periods.
![Page 68: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/68.jpg)
A Simple Experiment
![Page 69: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/69.jpg)
![Page 70: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/70.jpg)
Torrents
• Connect to the top torrent trackers like the Pirate Bay top 100, dump seeders and leechers.
• Record the BitTorrent client type (entropy).
• Look at all attacks on a particular dataset.
• Join torrent data and Snort data on source IP.
• What files are downloaded by the people that trigger IDS alerts?
• Does torrent data allow me to triangulate?
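Added example, not one of Packetpig’s scripts: the join described above in plain Python instead of a Pig JOIN, covering both this slide and the “Attackers and Torrents” and “Moral of the Story” slides that follow. Snort alert sources are matched against torrent peers on source IP, p0f and User-Agent data are attached to each match, and matched IPs that share both a torrent and a User-Agent string are grouped as probably one user behind several addresses, which is the triangulation the later slides describe. Every record is constructed; the alert and fingerprint rows follow the SnortLoader() and FingerprintLoader() field orders given on the earlier slides, and the peer and User-Agent rows are this example’s own layout.

```python
from collections import defaultdict

# SnortLoader() schema: ts, sig id, priority, msg, proto, src, sport, dst, dport
ALERTS = [
    (1000, 2003, 2, "SPYWARE-PUT Trackware funwebproducts", "TCP", "203.0.113.5", 51000, "192.0.2.10", 80),
    (1010, 2003, 2, "SPYWARE-PUT Trackware funwebproducts", "TCP", "203.0.113.6", 51001, "192.0.2.10", 80),
    (1020, 120, 3, "(http_inspect) LONG HEADER", "TCP", "203.0.113.7", 51002, "192.0.2.10", 80),
    (1030, 129, 3, "TCP Timestamp is outside of PAWS window", "TCP", "198.51.100.9", 40000, "192.0.2.10", 443),
    (1040, 129, 3, "TCP Timestamp is outside of PAWS window", "TCP", "198.51.100.50", 40001, "192.0.2.10", 443),
]

# Torrent peer dump as the slides describe (constructed rows): torrent name, peer ip, client
PEERS = [
    ("7 Weeks to 100 Push-Ups", "203.0.113.5", "uTorrent 3.1"),
    ("7 Weeks to 100 Push-Ups", "203.0.113.6", "uTorrent 3.1"),
    ("The.Adventures.of.Tintin.2011", "203.0.113.7", "Vuze 4.7"),
    ("The.Adventures.of.Tintin.2011", "203.0.113.8", "Vuze 4.7"),
    ("Thor (2011)", "198.51.100.9", "Transmission 2.5"),
]

# FingerprintLoader() (p0f) result per ip and HTTPConversationLoader()
# User-Agent per source ip (both constructed)
P0F = {"203.0.113.5": "OpenBSD 3.x", "203.0.113.6": "OpenBSD 3.x",
       "203.0.113.7": "OpenBSD 3.x", "198.51.100.9": "Linux 2.6"}
USER_AGENTS = [
    ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; FunWebProducts)"),
    ("203.0.113.6", "Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; FunWebProducts)"),
    ("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"),
    ("203.0.113.8", "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"),
    ("198.51.100.9", "Mozilla/5.0 (iPhone)"),
]


def attackers_with_torrents(alerts, peers, p0f=P0F):
    """Inner join of alerts and peers on src ip == peer ip, grouped by ip:
    {ip: {"alerts": {msg, ...}, "torrents": {name, ...}, "os": str}}.
    Sources that never appear in the peer dump are dropped, as a JOIN does."""
    by_peer = defaultdict(set)
    for name, ip, _client in peers:
        by_peer[ip].add(name)
    joined = {}
    for _ts, _sid, _pri, msg, _proto, src, *_rest in alerts:
        if src in by_peer:
            entry = joined.setdefault(src, {"alerts": set(), "torrents": set(),
                                            "os": p0f.get(src)})
            entry["alerts"].add(msg)
            entry["torrents"] |= by_peer[src]
    return joined


def triangulate(joined, peers, user_agents):
    """Group matched IPs that share a torrent AND a User-Agent string: the
    evidence the slides use to tie two proxy addresses to one user."""
    ua_by_ip = dict(user_agents)
    ips_by_key = defaultdict(set)
    for name, ip, _client in peers:
        if ip in joined and ip in ua_by_ip:
            ips_by_key[(name, ua_by_ip[ip])].add(ip)
    return sorted(tuple(sorted(ips)) for ips in ips_by_key.values() if len(ips) > 1)
```

On the constructed rows four of the five alerting sources are also torrent peers; 198.51.100.50 drops out of the join because it never appears in the peer dump. Only 203.0.113.5 and 203.0.113.6 share both a torrent and a User-Agent, so `triangulate` reports them as one user, while 203.0.113.7 is not paired with 203.0.113.8 because the latter never triggered an alert. In Pig this is `JOIN alerts BY src, peers BY ip` followed by a GROUP on source IP, with the p0f and HTTP data joined in the same way; the query is cheap because it touches only the Snort, p0f and HTTP outputs, not the raw packets.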
![Page 71: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/71.jpg)
Torrent Results
![Page 72: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/72.jpg)
A Decent Join
• 420,000 security events over a 12.49 day period
• 3 billion packets analysed.
• Total size of the data was 2.5TB.
• 1,890 sources of attack (distinct IPs)
• 168,490 torrent peers (seeders and leechers)
• Around 242 torrents from tracking the PB top 100 for movies, music, books
![Page 73: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/73.jpg)
Attackers and Torrents
• 17 IP addresses matched attacks and torrents.
• 5 countries - Australia, China, South Africa, Philippines, Singapore.
• Mainly protocol anomalies and spyware upload detection.
• Two cases are worth looking into further.
• Use Packetpig to gather Snort, torrent, p0f and User-Agent data.
![Page 74: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/74.jpg)
Torrent Files
• Justice.League.Doom.2012.BRRip.XviD.Ac3.Feel-Free
• Tower Heist (2011) DVDRip XviD-MAXSPEED
• Friends with Benefits 2011 R5 LiNE READNFO XViD-IMAGiNE
• The.Adventures.of.Tintin.2011.1080p.BluRay.x264-MaxHD
• 7 Weeks to 100 Push-Ups: Strengthen and Sculpt Your Arms, Abs, C
• The Walking Dead S02E04 HDTV XviD-ASAP[ettv]
• Footloose.2011.DVDRip.XviD- PADDO
• Thor (2011) DVDRip XviD-MAX
• Daredevil - Soundtrack:-:Thar
• Rise of the Planet of the Apes (2011) DVDRip XviD-MAX
• Revenge S01E15 HDTV XviD-LOL [VTV]
• 1000 Photoshop Tips and Tricks (Dec 2010)-Mantesh
• CSI.S12E14.HDTV.XviD-LOL.avi
![Page 75: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/75.jpg)
The Suspects
• Two attackers analysed due to Snort alert severity.
• The South African.
– Snort triggering on spyware ‘PUT’ to a web site.
• The Australian.
– Protocol anomalies that are worth investigating.
![Page 76: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/76.jpg)
The South African
• 9 IP addresses from AS5713 SAIX-NET
• Reverse DNS links them to SAIX proxies.
– e.g. wblv-ip-pcache-4-vif0.telkom-ipnet.co.za.
• Attacks
– (http_inspect) LONG HEADER
– SPYWARE-PUT Trackware funwebproducts mywebsearchtoolbar-funtools runtime detection
![Page 77: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/77.jpg)
Let’s Enhance!
![Page 78: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/78.jpg)
The South African
• Packetpig UDF provided two lat/longs but they were worthless.
• Linked to 7 torrent files.
– “7 Weeks to 100 Push-Ups: Strengthen and Sculpt Your Arms, Abs, C” linked two IP addresses to the one user.
– “The.Adventures.of.Tintin.2011.DVDRip.XviD-TARGET” linked another two IP addresses to another user.
– User-agents for these individual users confirmed this.
• Using torrents as a way to triangulate works.
![Page 79: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/79.jpg)
The South African
• Google the IP addresses.
• Linked to botnet traffic
– Spreading malware and forum spam.
• Likely some home machine that torrents and is also infected with malware.
![Page 80: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/80.jpg)
![Page 81: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/81.jpg)
![Page 82: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/82.jpg)
![Page 83: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/83.jpg)
Packetpig Query
• Packetpig
– SnortLoader()
– FingerprintLoader()
– HTTPConversationLoader()
– GeoIP UDF to determine Country, ASNum, Lat/Long
– Torrent output as a CSV text file.
![Page 84: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/84.jpg)
Packetpig Query
• All 9 IP addresses are OpenBSD 3.X
• A number of distinct user-agents making requests of different web sites.
• User-agents triggering alerts include the Trident/4.0 or Trident/5.0 and FunWebProducts user-agent strings.
• Host,Connection=[keep-alive],Accept=[*/*],?Referer,Accept-Language=[en-ZA],User-Agent,Accept-Encoding=[gzip, deflate],?X-Forwarded-For,?Via:Accept-Charset,Keep-Alive:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; FunWebProducts; GTB7.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; InfoPath.)
![Page 85: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/85.jpg)
Conclusion
• Just some infected Windows machines sitting behind OpenBSD proxies that were browsing a website.
• When analysing the HTTP queries there were no PUTs.
• The Snort signature is matching on the user-agent.
• No reason to run more detailed jobs to dump all conversations, protocols or files.
![Page 86: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/86.jpg)
The Australian
• Single IP address from AS18291 Vodafone Australia.
• Attacks (read: Crimes!)
– TCP Timestamp is outside of PAWS window
– Bad segment, adjusted size <= 0
• Packetpig GeoIP provides a Lat/Long.
![Page 87: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/87.jpg)
Packetpig Query
• Packetpig
– SnortLoader()
– FingerprintLoader()
– HTTPConversationLoader()
– GeoIP UDF to determine Country, ASNum, Lat/Long
– Torrent output as a CSV text file.
![Page 88: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/88.jpg)
Let’s Enhance!
![Page 89: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/89.jpg)
![Page 90: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/90.jpg)
![Page 91: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/91.jpg)
![Page 92: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/92.jpg)
![Page 93: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/93.jpg)
![Page 94: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/94.jpg)
![Page 95: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/95.jpg)
![Page 96: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/96.jpg)
Just before calling the police...
![Page 97: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/97.jpg)
![Page 98: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/98.jpg)
![Page 99: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/99.jpg)
![Page 100: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/100.jpg)
![Page 101: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/101.jpg)
Moral of the story...
![Page 102: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/102.jpg)
Moral of the Story
• In both cases IDS alerts can be investigated quickly through a joined query.
• Joining Snort source IP with p0f, HTTP and torrent data provides additional context.
• Torrent data provides triangulation when matched to user-agent information.
• Didn’t justify a query of all connections, sessions, protocols and files for these sources.
![Page 103: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/103.jpg)
What about Tor?
![Page 104: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/104.jpg)
Tor
• Track Tor exit nodes every hour.
• Record every IP address with geo information.
• Correlate Tor exit addresses with sources of attack on the network.
![Page 105: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/105.jpg)
Tor Results
![Page 106: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/106.jpg)
Future Features
• Statistical analysis
• Machine learning
• Loaders for more NSM tools
• Sentiment analysis
• Build Lucene search indexes
![Page 107: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/107.jpg)
Questions?
![Page 108: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/108.jpg)
Feedback forms
![Page 109: Finding Needles in Haystacks (The Size of Countries)](https://reader035.vdocument.in/reader035/viewer/2022062312/554de35cb4c905c70e8b5683/html5/thumbnails/109.jpg)
Information
• Packetpig
– https://github.com/packetloop/packetpig
– @packetpig on twitter
• Packetloop
– www.packetloop.com
– @packetloop on twitter
– blog.packetloop.com